On Sun, May 27, 2018 at 1:16 AM Christoph M. Becker <cmbecke...@gmx.de>
wrote:
> On 25.05.2018 at 12:28, Christoph M. Becker wrote:
>
> > if ($_GET['action'] == 'newsession') {
> > $session_name = getNewSessionName(); // user-defined function
> > session_name($session_name);
> > session_regenerate_id();
> > header('Location: ' ….); // restart script to use new session name
> > and id
> > exit;
> > }
> >
> > Why even call session_name($session_name) here? To my knowledge, this
> > is a no-op in this case (assuming a session has already been started).
>
> I have to correct myself. Actually, the call to session_regenerate_id()
> did change the session name (i.e. the cookie etc.) I'm still not
> convinced, that this BC break should be reverted.
>
Session module uses a few INI settings to work. As we know, INI values are
stored in modules global structure.
Since session works uses INI values as "Parameters" for module and its
submodules
while it is active, modifying these INI values caused number of unwanted
misbehaviors/crashes. i.e. It's side effect of changing globals.
These INI values must not be changed in the first place, but session module
didn't have proper internal state management. Since these side effects won't
be problem unless users abuse/misuse them, it was left until 7.2.
7.2 protects module globals (PS(session_name) is one of them) to prevent
abuse/misuse. Any function calls that cause side effects raise ERROR as
described in UPGRADING.
Since 7.2 prohibits harmful calls, users protected from some of very
hard to debug problems, e.g.
- Works in a environment, but not in other
- Works mostly, but fails sometimes
Even when users are affected by this change, there are ways to write code
that work in any PHP versions.
session_name('new_name') can be called while session is inactive in this
case. i.e. session_commit(); session_name('new_name'); session_start();
Regards,
--
Yasuo Ohgaki
yohg...@ohgaki.net
